examples · errors · 8 / 19
8. 401 - token revoked or expired
← Errors exampleswhat this error means
The token parsed correctly, but is either past its expiry timestamp or was revoked from the admin console. The engine treats both cases identically - the token is no longer trusted.
what triggers it
A bearer token whose exp claim is in the past, or whose ID has been added to the revocation set.
POST /v1/tenants/:t/sql - expired token
curl -X POST "https://$OC_HOST/v1/tenants/$OC_TENANT/sql" \
-H "Authorization: Bearer eyJ...expired..." \
-H "Content-Type: application/json" \
-d '{"sql": "SELECT 1"}'the canonical response body
{
"error": "unauthorized",
"message": "token expired at 2026-04-30T12:00:00Z",
"retry": false
}how to recover
- Issue a fresh token in the dashboard at /app/tokens and update your secret store.
- If the old token was revoked (security event), rotate any downstream consumers that share it.
- The SDKs surface this as a structured
TokenExpiredErrorso you can wire automatic refresh in long-running services. retry: false- the same token will keep failing. Refresh first.
common upstream causes
- Token issued with a short TTL for an integration test that ran later than expected.
- System clock drift between the client and the engine - if the client clock is far ahead, valid tokens look expired.
- Team member rotated the token in the dashboard but didn't redeploy the consumer.
- Token explicitly revoked after an offboarding.